selfprivacy.userdata -> selfprivacy; SP modules -> selfprivacy.modules
This commit is contained in:
parent
f4fb0a9ce8
commit
80447abb2e
|
@ -2,8 +2,8 @@
|
|||
{
|
||||
services.selfprivacy-api = {
|
||||
enable = true;
|
||||
enableSwagger = config.selfprivacy.userdata.api.enableSwagger;
|
||||
b2Bucket = config.selfprivacy.userdata.backup.bucket;
|
||||
enableSwagger = config.selfprivacy.api.enableSwagger;
|
||||
b2Bucket = config.selfprivacy.backup.bucket;
|
||||
};
|
||||
|
||||
users.users."selfprivacy-api" = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
services.restic.backups = {
|
||||
|
|
|
@ -37,11 +37,11 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.do-agent.enable = if config.selfprivacy.userdata.server.provider == "DIGITALOCEAN" then true else false;
|
||||
services.do-agent.enable = if config.selfprivacy.server.provider == "DIGITALOCEAN" then true else false;
|
||||
|
||||
boot.cleanTmpDir = true;
|
||||
networking = {
|
||||
hostName = config.selfprivacy.userdata.hostname;
|
||||
hostName = config.selfprivacy.hostname;
|
||||
usePredictableInterfaceNames = false;
|
||||
firewall = {
|
||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
|
||||
|
@ -53,12 +53,12 @@
|
|||
};
|
||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||
};
|
||||
time.timeZone = config.selfprivacy.userdata.timezone;
|
||||
time.timeZone = config.selfprivacy.timezone;
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.userdata.ssh.rootKeys;
|
||||
users.users.root.openssh.authorizedKeys.keys = config.selfprivacy.ssh.rootKeys;
|
||||
services.openssh = {
|
||||
enable = config.selfprivacy.userdata.ssh.enable;
|
||||
passwordAuthentication = config.selfprivacy.userdata.ssh.passwordAuthentication;
|
||||
enable = config.selfprivacy.ssh.enable;
|
||||
passwordAuthentication = config.selfprivacy.ssh.passwordAuthentication;
|
||||
permitRootLogin = "yes";
|
||||
openFirewall = false;
|
||||
};
|
||||
|
@ -71,14 +71,14 @@
|
|||
jq
|
||||
];
|
||||
environment.variables = {
|
||||
DOMAIN = config.selfprivacy.userdata.domain;
|
||||
DOMAIN = config.selfprivacy.domain;
|
||||
};
|
||||
system.autoUpgrade = {
|
||||
enable = config.selfprivacy.userdata.autoUpgrade.enable;
|
||||
allowReboot = config.selfprivacy.userdata.autoUpgrade.allowReboot;
|
||||
enable = config.selfprivacy.autoUpgrade.enable;
|
||||
allowReboot = config.selfprivacy.autoUpgrade.allowReboot;
|
||||
channel = "https://channel.selfprivacy.org/nixos-selfpricacy";
|
||||
};
|
||||
system.stateVersion = config.selfprivacy.userdata.stateVersion;
|
||||
system.stateVersion = config.selfprivacy.stateVersion;
|
||||
nix = {
|
||||
optimise.automatic = true;
|
||||
gc = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
dnsCredentialsTemplates = {
|
||||
DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
|
||||
CLOUDFLARE = ''
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
users.groups.acmerecievers = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.userdata.domain;
|
||||
domain = config.selfprivacy.domain;
|
||||
in
|
||||
{
|
||||
systemd = {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[
|
||||
[ "selfprivacy", "userdata", "domain" ],
|
||||
[ "selfprivacy", "userdata", "nextcloud" ],
|
||||
[ "selfprivacy", "userdata", "useBinds" ]
|
||||
[ "selfprivacy", "domain" ],
|
||||
[ "selfprivacy", "useBinds" ],
|
||||
[ "selfprivacy", "modules", "nextcloud" ]
|
||||
]
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
options.selfprivacy.userdata.nextcloud = with lib; {
|
||||
options.selfprivacy.modules.nextcloud = with lib; {
|
||||
enable = mkOption {
|
||||
type = types.nullOr types.bool;
|
||||
default = false;
|
||||
|
@ -13,13 +13,13 @@
|
|||
|
||||
config =
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
secrets-filepath = "/etc/nixos/userdata/userdata.json";
|
||||
sp = config.selfprivacy;
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
db-pass-filepath = "/var/lib/nextcloud/db-pass";
|
||||
admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
|
||||
hostName = "cloud.${cfg.domain}";
|
||||
hostName = "cloud.${sp.domain}";
|
||||
in
|
||||
lib.mkIf cfg.nextcloud.enable
|
||||
lib.mkIf sp.modules.nextcloud.enable
|
||||
{
|
||||
system.activationScripts.nextcloudSecrets = ''
|
||||
mkdir -p /var/lib/nextcloud
|
||||
|
@ -31,9 +31,9 @@
|
|||
chmod 0440 ${admin-pass-filepath}
|
||||
chown nextcloud:nextcloud ${admin-pass-filepath}
|
||||
'';
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/nextcloud" = {
|
||||
device = "/volumes/${cfg.nextcloud.location}/nextcloud";
|
||||
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
@ -64,8 +64,8 @@
|
|||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${hostName} = {
|
||||
sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
|
||||
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
@ -86,7 +86,7 @@
|
|||
}
|
||||
# FIXME do we really want to delete passwords on module deactivation!?
|
||||
//
|
||||
lib.mkIf (!cfg.nextcloud.enable) {
|
||||
lib.mkIf (!sp.modules.nextcloud.enable) {
|
||||
system.activationScripts.nextcloudSecrets =
|
||||
lib.trivial.warn
|
||||
(
|
||||
|
|
|
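Review bot: In the nextcloud `let` block, `secrets-filepath` moves from `/etc/nixos/userdata/userdata.json` to `/etc/selfprivacy/secrets.json`, which is a behavioural change the commit title (an option-path rename) does not mention; the activation script that reads it begins at `system.activationScripts.nextcloudSecrets` and continues past the hunk, so I cannot see how a missing file is handled, but presumably db-pass and admin-pass would then be derived from nothing. A comment above the binding, e.g. `# secrets now live under /etc/selfprivacy; existing installs must move userdata.json before switching`, plus a migration note in the commit message, would make the change visible. Separately, `enable` in the first hunk is declared `types.nullOr types.bool`, so `lib.mkIf sp.modules.nextcloud.enable` receives `null` if a user sets it explicitly; `types.bool` with `default = false` seems to be what the `mkIf` callers assume.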
@ -1,16 +1,16 @@
|
|||
[
|
||||
[ "mailserver" ],
|
||||
[ "selfprivacy", "userdata", "domain" ],
|
||||
[ "selfprivacy", "userdata", "email" ],
|
||||
[ "selfprivacy", "userdata", "hashedMasterPassword" ],
|
||||
[ "selfprivacy", "userdata", "simple-nixos-mailserver" ],
|
||||
[ "selfprivacy", "userdata", "useBinds" ],
|
||||
[ "selfprivacy", "userdata", "username" ],
|
||||
[ "selfprivacy", "userdata", "users" ],
|
||||
[ "selfprivacy", "domain" ],
|
||||
[ "selfprivacy", "email" ],
|
||||
[ "selfprivacy", "hashedMasterPassword" ],
|
||||
[ "selfprivacy", "useBinds" ],
|
||||
[ "selfprivacy", "username" ],
|
||||
[ "selfprivacy", "users" ],
|
||||
[ "services", "dovecot2" ],
|
||||
[ "services", "opendkim" ],
|
||||
[ "services", "postfix", "group" ],
|
||||
[ "services", "postfix", "user" ],
|
||||
[ "services", "redis" ],
|
||||
[ "services", "rspamd" ]
|
||||
[ "services", "rspamd" ],
|
||||
[ "selfprivacy", "modules", "simple-nixos-mailserver" ]
|
||||
]
|
||||
|
|
|
@ -1,37 +1,37 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
sp = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf
|
||||
(cfg.simple-nixos-mailserver.enable && cfg.useBinds)
|
||||
fileSystems =
|
||||
lib.mkIf (sp.modules.simple-nixos-mailserver.enable && sp.useBinds)
|
||||
{
|
||||
"/var/vmail" = {
|
||||
device = "/volumes/${cfg.email.location}/vmail";
|
||||
device = "/volumes/${sp.email.location}/vmail";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/sieve" = {
|
||||
device = "/volumes/${cfg.email.location}/sieve";
|
||||
device = "/volumes/${sp.email.location}/sieve";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
|
||||
users.users = lib.mkIf cfg.simple-nixos-mailserver.enable {
|
||||
users.users = lib.mkIf sp.modules.simple-nixos-mailserver.enable {
|
||||
virtualMail = {
|
||||
isNormalUser = false;
|
||||
};
|
||||
};
|
||||
|
||||
selfprivacy.userdata.simple-nixos-mailserver =
|
||||
lib.mkIf cfg.simple-nixos-mailserver.enable {
|
||||
fqdn = cfg.domain;
|
||||
domains = [ cfg.domain ];
|
||||
selfprivacy.modules.simple-nixos-mailserver =
|
||||
lib.mkIf sp.modules.simple-nixos-mailserver.enable {
|
||||
fqdn = sp.domain;
|
||||
domains = [ sp.domain ];
|
||||
|
||||
# A list of all login accounts. To create the password hashes, use
|
||||
# mkpasswd -m sha-512 "super secret password"
|
||||
loginAccounts = {
|
||||
"${cfg.username}@${cfg.domain}" = {
|
||||
hashedPassword = cfg.hashedMasterPassword;
|
||||
"${sp.username}@${sp.domain}" = {
|
||||
hashedPassword = sp.hashedMasterPassword;
|
||||
sieveScript = ''
|
||||
require ["fileinto", "mailbox"];
|
||||
if header :contains "Chat-Version" "1.0"
|
||||
|
@ -43,7 +43,7 @@ in
|
|||
};
|
||||
} // builtins.listToAttrs (builtins.map
|
||||
(user: {
|
||||
name = "${user.username}@${cfg.domain}";
|
||||
name = "${user.username}@${sp.domain}";
|
||||
value = {
|
||||
hashedPassword = user.hashedPassword;
|
||||
sieveScript = ''
|
||||
|
@ -56,15 +56,15 @@ in
|
|||
'';
|
||||
};
|
||||
})
|
||||
cfg.users);
|
||||
sp.users);
|
||||
|
||||
extraVirtualAliases = {
|
||||
"admin@${cfg.domain}" = "${cfg.username}@${cfg.domain}";
|
||||
"admin@${sp.domain}" = "${sp.username}@${sp.domain}";
|
||||
};
|
||||
|
||||
certificateScheme = "manual";
|
||||
certificateFile = "/var/lib/acme/${cfg.domain}/fullchain.pem";
|
||||
keyFile = "/var/lib/acme/${cfg.domain}/key.pem";
|
||||
certificateFile = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
||||
keyFile = "/var/lib/acme/${sp.domain}/key.pem";
|
||||
|
||||
# Enable IMAP and POP3
|
||||
enableImap = true;
|
||||
|
|
|
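Review bot: The binding is renamed `cfg` → `sp` here (and in the nextcloud config), while the restic, binds, users and volume sections of the same commit keep `cfg = config.selfprivacy;`, so the same value now has two names across the repository. Picking one (the `cfg` files are the majority) or a short comment at the `let`, `# sp: top-level selfprivacy options; module options live under sp.modules`, would keep the convention readable. The `loginAccounts` attribute set starts in the first hunk and closes outside it.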
@ -13,10 +13,10 @@
|
|||
module // {
|
||||
imports = module.imports ++ [
|
||||
./config.nix
|
||||
{ mailserver = config.selfprivacy.userdata.simple-nixos-mailserver; }
|
||||
{ mailserver = config.selfprivacy.modules.simple-nixos-mailserver; }
|
||||
];
|
||||
options = module.options // {
|
||||
selfprivacy.userdata.simple-nixos-mailserver =
|
||||
selfprivacy.modules.simple-nixos-mailserver =
|
||||
module.options.mailserver;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
jsonData: { lib, ... }:
|
||||
{
|
||||
selfprivacy.userdata = jsonData // {
|
||||
selfprivacy = jsonData // {
|
||||
hostname = lib.attrsets.attrByPath [ "hostname" ] null jsonData;
|
||||
domain = lib.attrsets.attrByPath [ "domain" ] null jsonData;
|
||||
timezone = lib.attrsets.attrByPath [ "timezone" ] "Europe/Uzhgorod" jsonData;
|
||||
|
@ -12,10 +12,6 @@ jsonData: { lib, ... }:
|
|||
username = lib.attrsets.attrByPath [ "username" ] null jsonData;
|
||||
hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
|
||||
sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [ ] jsonData;
|
||||
api = {
|
||||
enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
|
||||
skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [ ] jsonData;
|
||||
};
|
||||
dns = {
|
||||
provider = lib.attrsets.attrByPath [ "dns" "provider" ] "CLOUDFLARE" jsonData;
|
||||
useStagingACME = lib.attrsets.attrByPath [ "dns" "useStagingACME" ] false jsonData;
|
||||
|
|
|
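Review bot: The second hunk appears to drop the `api = { enableSwagger …; skippedMigrations …; }` defaults from the set that becomes `selfprivacy`, yet `services.selfprivacy-api` in the config section still reads `config.selfprivacy.api.enableSwagger` after this commit; unless an option declaration outside this diff supplies that default, a JSON input without an `api` key would leave the reference undefined. Since `selfprivacy = jsonData // { … }` spreads every top-level key of the input into the option tree, a comment such as `# all JSON keys land in config.selfprivacy; only the listed ones get defaults` at the `//` line would record that contract, and explicitly copying the expected keys would be the stricter alternative. The attribute set continues past both hunks.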
@ -1,6 +1,6 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
users.mutableUsers = false;
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
with lib;
|
||||
{
|
||||
options.selfprivacy.userdata = {
|
||||
options.selfprivacy = {
|
||||
# General server options
|
||||
hostname = mkOption {
|
||||
description = "The hostname of the server.";
|
||||
|
@ -205,5 +205,9 @@ with lib;
|
|||
default = false;
|
||||
description = "Whether to bind-mount vmail and sieve folders";
|
||||
};
|
||||
##############
|
||||
# Modules #
|
||||
##############
|
||||
# modules =
|
||||
};
|
||||
}
|
||||
|
|
|
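Review bot: The new `# Modules #` banner at the end of `options.selfprivacy` introduces only a commented-out `# modules =` stub, while the actual `selfprivacy.modules.*` options are declared in the individual module files elsewhere in this commit. Either drop the stub or replace it with a pointer, e.g. `# modules.<name> options are declared by each module's own file`, so the next reader does not look for the declaration here. The enclosing `options.selfprivacy` set opens in the first hunk and closes in the second.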
@ -1,8 +1,8 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
services.jitsi-meet = {
|
||||
enable = config.selfprivacy.userdata.jitsi.enable;
|
||||
hostName = "meet.${config.selfprivacy.userdata.domain}";
|
||||
enable = config.selfprivacy.jitsi.enable;
|
||||
hostName = "meet.${config.selfprivacy.domain}";
|
||||
nginx.enable = true;
|
||||
interfaceConfig = {
|
||||
SHOW_JITSI_WATERMARK = false;
|
||||
|
|
|
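Review bot: `services.jitsi-meet.enable` is rewired to `config.selfprivacy.jitsi.enable` rather than `config.selfprivacy.modules.jitsi.enable`, even though this commit moves nextcloud and simple-nixos-mailserver under `selfprivacy.modules`; the ocserv section does the same with `config.selfprivacy.ocserv.enable`. If these are intentionally left at the top level for now, a comment at the enable line, `# not yet moved under selfprivacy.modules`, would make the partial migration explicit; otherwise the paths should follow the modules move. The `services.jitsi-meet` attribute set continues past the hunk.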
@ -1,6 +1,6 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy.userdata;
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = builtins.listToAttrs (builtins.map
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.userdata.domain;
|
||||
domain = config.selfprivacy.domain;
|
||||
in
|
||||
{
|
||||
users.groups.ocserv = {
|
||||
|
@ -13,7 +13,7 @@ in
|
|||
group = "ocserv";
|
||||
};
|
||||
services.ocserv = {
|
||||
enable = config.selfprivacy.userdata.ocserv.enable;
|
||||
enable = config.selfprivacy.ocserv.enable;
|
||||
config = ''
|
||||
socket-file = /var/run/ocserv-socket
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
domain = config.selfprivacy.userdata.domain;
|
||||
domain = config.selfprivacy.domain;
|
||||
in
|
||||
{
|
||||
services.nginx = {
|
||||
|
|